Thursday 4 October 14:30 - 15:00, Red room
Jan Sirmer (Avast Software s.r.o)
Adolf Streda (Avast Software s.r.o)
At the end of April 2018, while monitoring one of the branches of the Necurs botnet, we observed new scripts being distributed by the botnet. These scripts surprisingly had bot capabilities themselves, even in their latter stages. In our presentation we will dive into the results of our analysis of scripts with bot capabilities, spread by a botnet. The analysed scripts were spread by the Necurs botnet through spam emails, and while the initial infection chain was rather short, the multiple stages thereafter included capabilities to make it a fully fledged botnet. The distribution of these scripts is an interesting step out from the standard behaviour of the Necurs botnet, and we will therefore share information about the branch of Necurs we are monitoring, the changes it underwent in a year, and detailed analysis of the script bot itself. As the code involved in the infection chain was not heavily obfuscated, the analysis will be interlaced with code examples. Our analysis provides detailed information about the function and behaviour of the scripts, the origin of the information and a comparison of the scripts' versions over time. After we explore the scripts' whereabouts, we will again dive more deeply into the Ammyy-like malware infection chain.
Jan is a malware analysis team lead at Avast Software. His main specialization is analysing malicious Java threats, Android applications and exploits, macro viruses, web-based malware and other non-executable malware. During the course of his career, Jan has authored blog posts about phishing threats, malicious web exploits and Android threats. In the past, he has successfully presented his research at AVAR, FIRST, Virus Bulletin, RSA and WebExpo.
Adolf Streda is a reverse engineer at Avast Software. He specializes in botnets, more specifically botnet communication analysis and information extraction. He also currently studies cryptography at the Faculty of Mathematics and Physics, Charles University. So far, he has authored several blog posts about information security and Necurs botnet campaigns.
Anton Cherepanov (ESET)
Martijn Grooten (Virus Bulletin)
Joe Slowik (Dragos)